
100+ Free ITIL 4 InfoSec Practice Questions

Pass your ITIL 4 Practitioner: Information Security Management exam on the first try — instant access, no signup required.


Key Facts: ITIL 4 InfoSec Exam

  • Passing Score: 28/40 (70%, set by PeopleCert)
  • Exam Duration: 60 min (75 min for non-native English speakers, per PeopleCert)
  • Questions: 40 multiple-choice items, closed-book OTQ format
  • Prerequisite: ITIL 4 Foundation required
  • Exam Fee: $310 (PeopleCert; USD, region-dependent)
  • Cert Validity: 3 years; renewal via CPD or re-exam

The ITIL 4 InfoSec exam has 40 multiple-choice questions in 60 minutes (75 minutes for non-native English speakers), closed-book, with a 70% pass mark (28/40). It covers the CIA triad and supporting security objectives; ISO/IEC 27001:2022 ISMS, NIST CSF 2.0, CIS Controls v8; policy/standard/procedure hierarchy; risk-based approach (identify, assess, treat, accept residual, monitor); data classification and DLP; encryption (AES-256, TLS 1.3, HSM, BYOK); IAM (MFA, FIDO2, SSO, RBAC, ABAC, PAM/JIT); Zero Trust (NIST 800-207), ZTNA, SASE, micro-segmentation; security operations (SIEM, SOAR, EDR/XDR); incident response (NIST 800-61); MITRE ATT&CK, Cyber Kill Chain, STIX/TAXII; application security (OWASP Top 10, SAST/DAST/SCA, SBOM, SLSA); cloud security (shared responsibility, CSPM, CASB, Kubernetes); regulatory frameworks (GDPR, PCI DSS, NIS 2, DORA); and integration with Change Enablement, Incident Management, Service Continuity, and other ITIL practices.

Sample ITIL 4 InfoSec Practice Questions

Try these sample questions to test your ITIL 4 InfoSec exam readiness. Each question includes a detailed explanation. Start the interactive quiz above for the full 100+ question experience with AI tutoring.

1. What is the primary purpose of the Information Security Management practice in ITIL 4?
A. To prevent every cyber attack at any cost and replace IT operations
B. To protect the information needed by the organization to conduct its business, ensuring confidentiality, integrity, and availability
C. To enforce compliance with ITIL 4 Foundation requirements across all teams
D. To act as the sole owner of organizational risk and replace enterprise risk management
Explanation: ITIL 4 defines the purpose of Information Security Management as protecting the information needed by the organization to conduct its business — the CIA triad of confidentiality, integrity, and availability, plus authenticity, non-repudiation, accountability, and reliability. It is a business-enabling practice, not a blocker.

2. Which acronym represents the three core security objectives at the heart of Information Security Management?
A. AAA — Authentication, Authorization, Accounting
B. CIA — Confidentiality, Integrity, Availability
C. RTO/RPO — Recovery Time/Point Objectives
D. KPI — Key Performance Indicators
Explanation: CIA (Confidentiality, Integrity, Availability) is the foundational triad of information security. ITIL 4 also recognises authenticity, non-repudiation, accountability, and reliability as supporting objectives.

3. Which property of information is compromised when an unauthorized user can read a confidential customer record?
A. Integrity
B. Availability
C. Confidentiality
D. Non-repudiation
Explanation: Confidentiality protects information from disclosure to unauthorized people. Unauthorized read access is a classic confidentiality breach.

4. A ransomware attack encrypts the company's file server. Which CIA property is MOST directly compromised?
A. Confidentiality
B. Integrity
C. Availability
D. Authenticity
Explanation: Ransomware that encrypts files makes them unusable by authorized users, directly compromising availability. Modern ransomware also exfiltrates data (impacting confidentiality), but the primary impact on the file server itself is denial of availability.

5. Which information security property ensures that an actor cannot later deny having performed a recorded action?
A. Confidentiality
B. Integrity
C. Non-repudiation
D. Availability
Explanation: Non-repudiation provides cryptographic and procedural evidence (digital signatures, immutable logs) that a party cannot credibly deny an action. It supports accountability and forensic investigation.

6. Which international standard specifies requirements for an Information Security Management System (ISMS)?
A. ISO/IEC 20000-1
B. ISO/IEC 27001:2022
C. ISO/IEC 19770-1
D. ITIL 4 Foundation
Explanation: ISO/IEC 27001:2022 specifies the requirements for establishing, implementing, maintaining, and continually improving an Information Security Management System (ISMS). ISO/IEC 27002 provides controls guidance to support it.

7. The NIST Cybersecurity Framework 2.0 organizes outcomes into six Functions. Which set lists them correctly?
A. Plan, Build, Run, Improve, Govern, Monitor
B. Identify, Protect, Detect, Respond, Recover, Govern
C. Strategy, People, Process, Technology, Partners, Value
D. Prevent, Detect, Correct, Compensate, Direct, Audit
Explanation: NIST CSF 2.0 (released 2024) adds 'Govern' to the original five Functions: Identify, Protect, Detect, Respond, Recover. Govern sits at the center to direct and oversee the others.

8. What is the BEST description of the relationship between ITIL 4 Information Security Management and ISO/IEC 27001?
A. ISO/IEC 27001 replaces the ITIL 4 practice
B. ITIL 4 Information Security Management describes how to integrate the security practice into service management, while ISO/IEC 27001 provides certifiable ISMS requirements — they complement each other
C. ISO/IEC 27001 is mandatory before adopting ITIL 4
D. ITIL 4 prohibits using ISO/IEC 27001 controls
Explanation: ITIL 4 InfoSec Management describes how the practice integrates with the service value system and other practices. ISO/IEC 27001 provides a certifiable ISMS structure with Annex A controls. The two complement each other — ITIL operationalizes service-aware security, 27001 demonstrates governance maturity.

9. In the security policy hierarchy, which document is the HIGHEST-LEVEL statement of management intent for information security?
A. A baseline configuration document
B. A procedure document
C. An information security policy
D. A technical guideline
Explanation: The hierarchy runs: Policy (management intent, mandatory) -> Standards (specific mandatory rules) -> Procedures (step-by-step how) -> Baselines (concrete settings) -> Guidelines (recommended, non-mandatory). The policy is the apex management statement.

10. Which of the following is a GUIDELINE rather than a STANDARD in the security policy hierarchy?
A. All passwords must be at least 14 characters with MFA
B. Recommended approach for choosing memorable passphrases
C. Mandatory disk encryption on all corporate laptops
D. TLS 1.2 or higher is required for all external connections
Explanation: Guidelines are recommended, non-mandatory practices that help users meet standards. The other options express mandatory requirements typical of standards.

About the ITIL 4 InfoSec Exam

The ITIL 4 Practitioner: Information Security Management certification validates a professional's ability to protect the information that the organization needs to conduct its business — ensuring confidentiality, integrity, and availability (the CIA triad), plus authenticity, non-repudiation, accountability, and reliability. The 60-minute closed-book exam contains 40 multiple-choice (Objective Test Question) items and requires 70% (28 of 40) to pass. ITIL 4 Foundation is a mandatory prerequisite. The exam covers ISO/IEC 27001 ISMS structure, NIST Cybersecurity Framework 2.0, CIS Controls v8, risk-based treatment, identity and access management, Zero Trust architecture, security operations and incident response, application and cloud security, and integration of the practice across the ITIL 4 Service Value System.

  • Questions: 40 scored questions
  • Time Limit: 60 minutes
  • Passing Score: 70%
  • Exam Fee: $310 USD (PeopleCert/AXELOS)

ITIL 4 InfoSec Exam Content Outline

  • InfoSec Purpose, CIA Triad, and Security Objectives (15%): practice purpose; CIA triad plus authenticity, non-repudiation, accountability, reliability; risk-based approach; value co-creation through security
  • Frameworks, Standards, and Governance (20%): ISO/IEC 27001:2022 ISMS, NIST CSF 2.0 (Govern, Identify, Protect, Detect, Respond, Recover), CIS Controls v8, three lines model, policy hierarchy
  • Risk Management and Information Classification (15%): risk identification, assessment, treatment (mitigate, transfer, avoid, accept), residual-risk acceptance, classification schemes, DLP
  • Identity, Access, and Zero Trust (15%): MFA (FIDO2, passkeys, SSO via SAML/OIDC), RBAC vs ABAC, PAM, JIT/JEA, NIST 800-207 Zero Trust, micro-segmentation, ZTNA, SASE
  • Security Operations, Incident Response, and Threat Intel (15%): SIEM/SOAR/EDR/XDR, NIST 800-61 incident lifecycle, forensics (chain of custody, NIST 800-86), MITRE ATT&CK, Cyber Kill Chain, STIX/TAXII
  • Application, Cloud, and Supply-Chain Security (10%): OWASP Top 10 (2021), SAST/DAST/IAST/SCA, SBOM (SPDX/CycloneDX), SLSA, Sigstore/Cosign, shared responsibility, CSPM, CASB, Kubernetes security
  • Integration with ITIL Practices and SVS (10%): integration with Change Enablement, Incident, Problem, Risk Management, Service Continuity, Configuration Management; guiding principles applied

How to Pass the ITIL 4 InfoSec Exam

What You Need to Know

  • Passing score: 70%
  • Exam length: 40 questions
  • Time limit: 60 minutes
  • Exam fee: $310 USD

Keys to Passing

  • Complete 500+ practice questions
  • Score 80%+ consistently before scheduling
  • Focus on highest-weighted sections
  • Use our AI tutor for tough concepts

ITIL 4 InfoSec Study Tips from Top Performers

1. Memorize the InfoSec purpose verbatim — to protect the information needed by the organization to conduct its business, with confidentiality, integrity, and availability (plus authenticity, non-repudiation, accountability, reliability)
2. Master the CIA triad and which property each scenario most directly affects — ransomware (availability), data leak (confidentiality), unauthorized edit (integrity)
3. Know the NIST CSF 2.0 Functions cold: Govern, Identify, Protect, Detect, Respond, Recover — Govern is the 2024 addition
4. Learn the risk-based flow: identify -> assess -> treat (mitigate/transfer/avoid/accept) -> accept residual -> monitor — and remember the business owns acceptance
5. Understand Zero Trust principles (verify explicitly, least privilege, assume breach) and where ZTNA, SASE, and micro-segmentation fit
6. Recognize the OWASP Top 10 (2021) top entries: A01 Broken Access Control, A03 Injection, A04 Insecure Design (new), A10 SSRF (new)
7. Practice ITIL integration scenarios with Change Enablement, Incident Management, Problem Management, Risk Management, and Service Continuity
8. Complete full 40-question timed mocks at 60 minutes — pacing at ~90 seconds per item is the realistic budget

Frequently Asked Questions

What is the ITIL 4 Information Security Management exam format?

The ITIL 4 InfoSec exam has 40 multiple-choice (Objective Test Question) items to be completed in 60 minutes. The pass mark is 70% — at least 28 correct answers out of 40. The exam is closed-book, with only provided materials permitted. Non-native English speakers receive 75 minutes (25% extra). The exam is delivered online through PeopleCert proctoring or at authorized test centers.

What are the prerequisites for ITIL 4 Information Security Management?

ITIL 4 Foundation certification is a mandatory prerequisite. Foundation establishes the SVS, Four Dimensions, Service Value Chain, Guiding Principles, and 34 ITIL Practices that the InfoSec practice builds on. Practical experience in information security, risk management, or IT operations is recommended but not required.

What topics does ITIL 4 InfoSec cover?

Core topics include: the practice purpose and CIA triad (plus authenticity, non-repudiation, accountability, reliability); frameworks and standards (ISO/IEC 27001:2022, NIST CSF 2.0, CIS Controls v8); risk management and treatment; data classification and DLP; cryptography (AES-256, TLS 1.3, HSM, BYOK); identity and access management (MFA/FIDO2, SSO, RBAC/ABAC, PAM/JIT); Zero Trust (NIST 800-207); security operations (SIEM, SOAR, EDR/XDR); incident response (NIST 800-61); MITRE ATT&CK and Cyber Kill Chain; application security (OWASP Top 10, DevSecOps); cloud and Kubernetes security; supply-chain security (SBOM, SLSA); regulatory frameworks (GDPR, PCI DSS, NIS 2, DORA); and integration with ITIL Change Enablement, Incident, Risk, and Service Continuity.

How long should I study for the ITIL 4 InfoSec exam?

Most candidates need 25-35 hours of study, assuming current ITIL 4 Foundation knowledge. Recommended path: 1) Review the CIA triad and risk-based approach; 2) Master ISO/IEC 27001, NIST CSF 2.0 Functions, and CIS Controls v8; 3) Learn Zero Trust, IAM, and modern cryptography baselines; 4) Study SOC operations, NIST 800-61 incident response, and MITRE ATT&CK; 5) Take 2-3 timed mock exams scoring 80%+ before scheduling.

What is the CIA triad and why is it central to ITIL 4 InfoSec?

The CIA triad — Confidentiality, Integrity, Availability — is the foundational set of security objectives. ITIL 4 also recognises authenticity (proof of origin), non-repudiation (cannot deny actions), accountability, and reliability. Every control choice and risk decision is justified against impact to these properties; this framing is heavily tested on the exam.

How does ITIL 4 InfoSec relate to ISO/IEC 27001 and NIST CSF?

ITIL 4 InfoSec describes how the practice integrates with the Service Value System and other ITIL practices. ISO/IEC 27001:2022 provides a certifiable Information Security Management System (ISMS) with Annex A controls. NIST CSF 2.0 organizes security outcomes into six Functions (Govern, Identify, Protect, Detect, Respond, Recover). The frameworks complement each other — ITIL operationalizes service-aware security; ISO 27001 demonstrates governance maturity; NIST CSF helps prioritize outcomes. The exam expects familiarity with all three at a conceptual level.